
At least 16 NHS trusts out of 47 that were hit by the ransomware attack continue to face problems, according to BBC research.

And, as some patients continued to have their cancer treatments postponed, Tory, Labour and Lib-dem politicians told of their plans to spend more money on NHS IT.

But will any new money promised by government focus on basic weaknesses – such as the lack of interoperability and the structural complexities that made the health service vulnerable to cyber attack?

Last year when the health secretary Jeremy Hunt announced £4bn for NHS IT, his focus was on new technologies such as smartphone apps to order repeat prescriptions rather than any urgent need to upgrade MRI, CT and other medical devices that rely on Windows XP.

The Government’s position is that the NHS was not specifically targeted in the cyber attack and that the Tories are putting £2bn into cyber security over the next year.

Theresa May said yesterday,

“It was clear warnings were given to hospital trusts but this is not something that was focused on attacking the NHS. 150 countries are affected. Europol says there are 200,000 victims across the world. Cyber security is an issue we need to address.

“That’s why the government, when we came into government in 2010, put money into cyber security. It’s why we are putting £2bn into cyber security over the coming year.”

Similarly Jeremy Hunt, health secretary, told the BBC that the attack affected international sites that have “some of the most modern IT systems”.

But the BBC’s World at One gave an example of how the NHS’s IT problems were affecting the lives of patients.

It cited the case of Claire Hobday whose radiography appointment for breast cancer at Lincoln County Hospital was cancelled on Friday (12 May 2017) and she still doesn’t know when she’ll receive treatment. Hobday said,

“I turned up by hospital transport for my second radiotherapy session, and I, along with many other patients – at least 20 other people were waiting – and they said the computers weren’t working.

“I do have to say the staff were very good and very quickly let us all know that they were having trouble with the computers. They didn’t want to misinform us, so they were going to come and talk to us all individually and hoped they would be able to rectify it.

“Within half an hour or so they came out and said, ‘We’re really sorry but it’s not going to get sorted. We’ll send you all home and give you a call on Sunday’ which didn’t happen.

“But they did ring me this morning (15 May 2017) to say it’s not happening today and if transport turns up please don’t get in it, and it’s very unlikely it will happen tomorrow.

“It is just a bit upsetting that other authorities have managed to sort it but Lincolnshire don’t seem to have been able to do that.”

United Lincolnshire Hospitals Trust told World at One it will be back in touch with patients once the IT system is restored.

Roy Grimshaw was in the middle of an MRI scan – after dye was injected into his blood stream – when the scan was stopped and he was asked to go back into the waiting room in his gown, with tubes attached to him, while staff investigated a computer problem. After half an hour he was told the NHS couldn’t continue the scan.

Budgets “not an issue”?

GP practices continue to be affected. Keiran Sharrock, GP and medical director of Lincolnshire local medical committee, said yesterday (15 May 2017) that systems were switched off in “many” practices.

“We still have no access to medical records of our patients. We are asking patients to only contact the surgery if they have an urgent or emergency problem that needs dealing with today. We have had to cancel routine follow-up appointments for chronic illnesses or long-term conditions.”

Martha Kearney – BBC World at One presenter – asked Sharrock about NHS Digital’s claim that trusts were sent details of a security patch that would have protected against the latest ransomware attack.

“I don’t think in general practice we received that information or warning. It would have been useful to have had it,” replied Sharrock.

Kearney – What about claims that budget is an aspect of this?

Sharrock: “Within general practice that doesn’t seem to be the reason this happened. Most general practices have people who can work on their IT and if we’d been given the patch and told it needed to be installed, most practices would have done that straight away.”

GCHQ

World at One also spoke to Ciaran Martin, Director General for Government and Industry Cyber Security. He is a member of the GCHQ board and its senior information risk owner. He used to be Constitution Director at the Cabinet Office and was lead negotiator for the Prime Minister in the run-up to the Edinburgh Agreement in 2012 on a referendum on independence for Scotland.

Kearney: Did your organisation issue any warnings to the health service?

Martin: “We issue warnings and advice on how to upgrade defences constantly. It’s generally public on our website and it’s made very widely available for all organisations. We are a national organisation protecting all critical sectors and indeed individuals and smaller organisations as well.”

Huge sums spent on paying ransoms?

Kearney asked Martin, “How much money are you able to estimate is being spent on ransoms as a result of these cyber attacks?” She added,

“I did hear one astonishing claim that in the first quarter of 2016 more money was spent in the USA on responding to ransomware than [was involved] in armed robberies for the whole of that year?”

Martin: “First let me make clear that we don’t condone the payment of ransoms and we strongly advise bodies not to pay and indeed in this case the Department of Health and the NHS have been very clear that affected bodies are not to pay ransoms. Across the globe there is, sadly, a market in ransomware. It is often the private sector in shapes and sizes that is targeted.”

Martha Kearney said the UK may be a target because it has a reputation for being willing to pay ransoms.

Martin, “We are no more or less a target for ransomware than anywhere else. It’s a global business; and it is a business. It is all about return on investment for the attacker.

“What’s important about that is that it’s all about upgrading defences because you can make the return on investment lower by making it harder to get in.”

If an attacker gets in the aim must be to make it harder to get anything useful, in which case the “margin on investment goes down”. He added,

“That’s absolutely vital to addressing this problem.”

Are governments at fault?

Martin,

“Vulnerabilities will always exist in software. Regardless of who finds the underlying software defect, it’s incumbent on the entire cyber security ecosystem – individual users, enterprises, governments or whoever – to work together to mitigate the harm.”

He added that there are “all sorts of vulnerabilities out there” including with open source software.

Windows XP

Computer Weekly reports – convincingly – that the government did not cancel an IT support contract for XP.

Officials decided to end a volume pricing deal with Microsoft which left NHS organisations to continue with XP support if they chose to do so. This was clearly communicated to affected departments.

Government technology specialists, reports Computer Weekly, did not want a volume pricing deal with Microsoft to be a “comfort blanket” for organisations that – for their own local reasons – were avoiding an upgrade from XP.

Computer Weekly also reported that civil servants at the Government Digital Service expressed concerns about the lack of technical standards in the NHS to the then health minister George Freeman.

Freeman was a Department of Health minister until July 2016. In their meeting with Freeman, GDS officials emphasised the need for a central body to set technical standards across the NHS, with the authority to ensure trusts and other organisations followed best practice, and with the transparency to highlight those who chose not to.

A source told Computer Weekly that Jeremy Hunt was also briefed on the security risks that a lack of IT standards would create in a heavily-federated NHS but it was not considered a priority at that top political level.

“Hunt never grasped the problem,” said the source.

There are doubts, though, that Hunt could have forced trusts to implement national IT security standards even if he’d wanted to. NHS trusts are largely autonomous and GDS has no authority to mandate technical standards. It can only advise.

How our trust avoided being hit

A comment by an NHS IT lead on Digital Health’s website gives an insight into how his trust avoided being hit by the latest cyber attack. He said his trust had a “focus on perimeter security” and then worked back to the desktop.

“This is then followed up by lots of IG security pop ups and finally upgrading (painfully) windows XP to windows 7…” He added,

“NHS Digital have to take a lead on this and enforce standards for us locally to be able to use.”

He also suggests that NHS Digital sign a Microsoft Enrollment for Windows Azure [EWA] agreement as it is costly arranging such a deal locally.

“NHS Digital must for me, step in and provide another MS EWA as I am sure the disruption and political fall-out will cost more. Introduce an NHS MS EWA, introduce standards for software suppliers to comply with latest OS and then use CQC to rate organisations that do not upgrade.”

Another comment on the Digital Health website says that even those organisations that could afford the deployment costs of moving from XP to Windows 7 were left with the “professional” version, which “Microsoft has mercilessly withdrawn core management features from (e.g. group policy features)”.

The comment said,

“There are a lot of mercenary enterprises taking advantage of the NHS’s inability to mandate and coordinate the required policies on suppliers which would at least give the under-funded and under-appreciated IT functions the ability to provide the service they so desperately want to.”

A third comment said that security and configuration management in the NHS is “pretty poor”. He added, “I don’t know why some hospitals continue to invest in home-brew email systems when there is a national solution ready and paid for.

“In this recent attack most of the organisations hit seem to use local email systems.”

He also criticised NHS organisations that:

– Do not properly segment their networks

– Allow workstations to openly and freely connect to each other in a trusted zone

– Do not have a proper patch / update management regime

– Do not firewall legacy systems

– Don’t have basic ACLs [access control lists]

Three lessons?

Give GDS the ability to mandate no matter how many Sir Humphreys would be upset at every challenge to their authority. Government would work better if consensus and complacency at the top of the civil service were regarded as vices, while constructive, effective and forceful criticism was regarded as a virtue.

Give the NHS money to spend on the basic essentials rather than nice-to-haves such as a paperless NHS, trust-wide wi-fi, smartphone apps, telehealth and new websites. The essentials include interoperability – so that, at the least, all trusts can send test results and other medical information electronically to GPs – and the upgrading of medical devices that rely on old operating systems.

Plan for making the NHS less dependent on monolithic Microsoft support charges.

On the first day of the attacks, Microsoft released an updated patch for older Windows systems “given the potential impact to customers and their businesses”.

Reuters reported last night that the share prices of cyber security companies “surged as investors bet on governments and corporations spending to upgrade their defences”.

Network company Cisco Systems also closed up (2.3%), perhaps because of a belief that it would benefit from more network spending driven by security needs.

Security company Avast said the countries worst affected by WannaCry – also known as WannaCrypt – were Russia, Taiwan, Ukraine and India.

Comment

In a small room on the periphery of an IT conference on board a cruise ship, nearly all of the senior security people talked openly about how their board directors had paid ransoms to release their systems after denial of service attacks.

Some of the companies – most of them household names – had paid ransoms more than once.

Until then, I’d thought that some software suppliers tended to exaggerate IT security threats to help market their solutions and services.

But I was surprised at the high percentage of large companies in that small room that had paid ransoms. I no longer doubted that the threats – and the damage – were real and pervasive.

The discussions were not “off-the-record” but I didn’t report their comments at the time because that would doubtless have had job, and possibly even career ramifications, if I had quoted the security specialists by name.

Clearly ransomware is, as the GCHQ expert Ciaran Martin put it, a global business but, as ransoms are paid secretly – there’s not a whisper in corporate annual accounts – the threat has not been taken seriously enough in some parts of the NHS.

The government’s main defence is that the NHS was not targeted specifically and that many private organisations were also affected.

But the NHS has responsibility for lives.

There may be a silver lining if a new government focuses NHS IT priorities on the basics – particularly the structural defects that make the health service an easy target for attackers.

What the NHS doesn’t need is a new set of politicians and senior civil servants who can’t help massaging their egos and trying to immortalise their legacy by announcing a patchwork of technological marvels that are fun to work on, and spend money on, but which gloss over the fact that much of the NHS is, with some notable exceptions, technologically backward.

The NHS e-Referral Service which launched nationally on Monday was “unavailable until further notice”, the Health and Social Care Information Centre said at 9.30am today.

“Due to issues experienced overnight the NHS e-Referral Service is unavailable until further notice while essential maintenance is performed. If you have local business continuity processes available, we recommend that you consider invoking them,” says the HSCIC on its website.

“We are working hard to resolve these issues as quickly as possible and to keep disruption to a minimum… We apologise for the disruption caused to some users and thank everyone for their patience.”

Late yesterday afternoon the Health and Social Care Information Centre warned GPs and other users of its e-Referral Service that technical problems were continuing.

The difficulties have aggravated cynicism in the GP community about the ability of centrally-based officials to implement national IT systems.

Is it too soon to question whether e-Referrals is the first IT disaster of the new government? There is also the question of whether GPs have been used as guinea pigs to test for problems with the new system.

Until the service went down GPs were in any case unable to log in or were experiencing long delays in arranging referrals. Some reverted to sending letters by post – or always did use the post and avoided the NPfIT Choose and Book system which e-Referral is replacing.

Fewer than 60% of GPs used Choose and Book to book hospital appointments for patients.

On its website at 17.30 yesterday the HSCIC said:

“PLEASE PASS THIS ON TO COLLEAGUES WHO USE THE NHS e-REFERRAL SERVICE

“The NHS e-Referral Service has been used by patients and professionals today to complete bookings and referrals comparable with the number on a typical Tuesday but we were continuing to see on-going performance and stability issues after yesterday’s fixes.

“We suspended access to the system at lunchtime today to implement another fix and this improved performance and stability in the afternoon.

“We are continuing to monitor the service and will implement further fixes if required. If users notice any further issues they should log them with their local service desk in the usual way…

“We apologise for the disruption caused to some users and thank everyone for their patience.”

Update 14.00 17 June

The Health and Social Care Information Centre said the e-Referral Service was still down.

“HSCIC are completing the final stage of testing a number of fixes to the NHS e-Referrals Service. It is hoped that the service will be available again later today. A further update will be issued at 15:00 today.”

Update 18.00 17 June

Said the HSCIC:

“The NHS e-Referrals Service is now available again. We apologise for the disruption caused to users and thank everyone for their patience.”

Update 15.00 18 June – ongoing problems

“Yesterday’s outage enabled us to implement a number of improvements and hopefully this is reflected in your user experience today,” said HSCIC’s website.

“This morning users reported that there were ongoing performance issues so work has now taken place to implement changes to the configuration to the NHS e-Referral Service hardware and we are currently monitoring closely to see if this resolved the issue.”

Were GPs guinea pigs for live testing of the new national NHS e-Referral Service?

Between 2004 and 2010 the Department of Health marked as confidential its lists of problems with national NPfIT systems, in particular Choose and Book.

So the Health and Social Care Information Centre deserves praise for publishing a list of problems when it launched the national “e-Referrals” system on Monday. But that list was 9 pages long.

The launch brought unsurprised groans from GPs who are used to new national systems going live with dozens of known problems.

The e-Referral Service, built on agile “techniques” and based on open source technology, went live early on Monday to replace “Choose and Book” for referring GP patients to hospitals and to other parts of the NHS.

Some GPs found they could not log on.

“As expected – cannot refer anything electronically this morning. Surprise surprise,” said one GP in a comment to “Pulse” on its article headlined “Patient referrals being delayed as GPs unable to access e-Referrals system on launch day.”

Another GP said: “I was proud never to have used Choose and Book once. Looks like this is even better!”

Other GPs said they avoided using technology to refer patients.

“Why delay referral? Just send a letter. (Some of us never stopped).”

Another commented: “I still send paper referrals – no messing, you know it has gone, no time wasted.”

Dr Faisal Bhutta, a GP partner in Manchester, said his practice regularly used Choose and Book but on Monday morning he couldn’t log in. “You can’t make a referral,” he said.

The Health and Social Care Information Centre has apologised for the disruption. A statement on its website says:

“There are a number of known issues, which are currently being resolved. It is not anticipated that any of these issues will pose a clinical safety risk, cause any detriment to patient care or prevent users from carrying out essential tasks. We have published the list of known issues on our website along with details of how to provide feedback.”

But why did the Centre launch the e-Referral Service with 9 pages of known problems? Was it using GPs as guinea pigs to test the new system?

Comment

The Health and Social Care Information Centre is far more open, less defensive and a better communicator than the Department of Health ever was when its officials were implementing the NPfIT.

But is the HSCIC’s openness a good thing if it’s accompanied by a brazen and arrogant acceptance that IT can be introduced into the NHS without a care whether it works properly or not?

In parts of the NHS, IT works extraordinarily well. Those who design, test, implement and support such systems care deeply about patients. In many hospitals the IT reduces risks and helps to improve the chances of successful outcomes.

But in other parts of the NHS are some technology enthusiasts – at the most senior board level – who seem to believe that all major IT implementations will be flawed and will be improved by user feedback.

The result is that IT that’s inadequately designed, tested and implemented is foisted on doctors and nurses who are expected to get used to “teething” troubles.

This is dangerous thinking and it’s becoming more and more prevalent.

Many poorly-considered implementations of the Cerner Millennium electronic patient record system have gone live in hospitals across England with known problems.

In some cases, poor implementations – rather than any faults with the system itself – have affected the care of patients and might have contributed to unnecessary deaths when records needed urgently were not available, or hospitals lost track of urgent appointments.

A CQC report in March 2015 said IT was a possible factor in the death of a patient because NHS staff were unable to access electronically-held information.

Within NHS officialdom is a growing cultural acceptance that somehow a poor IT implementation is different to a faulty x-ray machine that delivers too high a dose of radiation.

NHS officials will always brush off IT problems as teething and irrelevant to the care and safety of patients. Just apologise and say no patient has come to any harm.

So little do IT-related problems matter in the NHS that unaccountable officials at the HSCIC have this week felt sufficiently detached from personal accountability to launch a national system knowing there are dozens of problems with the use of it.

Their attitude seems to be: “We can’t know everything wrong with the system until it’s live. So let’s launch the system and fix the problems as GPs give us their feedback.”

This is a little like the NHS having a template letter of regret to send to relatives and families of patients who die unexpectedly in the care of the NHS. Officials simply fill in the appropriate name and address. The NHS can then fix the problems as and when patients die.

It’s surely time that bad practice in NHS IT was eradicated. Board members need to question more. When necessary directors must challenge the blind positivism of the chief executive.

Some managers can learn much about the culture of care at the hospitals that implement IT successfully.

Patients, nurses and doctors do not exist to tell hospital managers and IT suppliers when electronic records are wrong, incomplete, not available or are somebody else’s record with a similar name.

And GPs do not exist to be guinea pigs for testing and providing feedback on new national systems such as the e-Referral Service.

HP has written to the Treasury questioning whether it is worthwhile competing for contracts if the Government is no longer interested in doing business with multinationals, says The Independent.

Cabinet Office minister Francis Maude is encouraging departments to spend more with SMEs and be less reliant on a small number of major IT suppliers. He wants departments to avoid signing long-term contracts which lock-in ministers to one major supplier.

The Independent says:

“In a striking case of Goliath accusing David of bullying, the American giants Microsoft and Hewlett Packard have complained that they are being unfairly picked on by the Cabinet Office minister Francis Maude.

“…the Government’s largest IT supplier Hewlett Packard has written to the Treasury to express its concern at plans by Mr Maude to award more Government contracts to smaller suppliers.

“At the same time Microsoft is fighting a rearguard action against the Cabinet Office to protect the million pounds it gets each year from Whitehall by selling popular Office programmes such as Word and Excel.

“Both companies are concerned that they are being singled out by ministers as unpopular and easy targets in their rhetoric about cutting public sector waste…

“Microsoft is attempting to prevent the Government from migrating its own computer systems from those that rely on the multinational to open-source documents that are free to use…

“Both companies look set to be disappointed – at least unless there is a change in Government. Mr Maude is understood to be looking to next year – when a significant number of big IT contracts are up for renewal – to push ahead with the new policy that could significantly denude the profits of IT multinationals.”

A Cabinet Office spokesman said it was unaware of HP’s letter to the Treasury and added: “We value the contribution companies of all sizes make to the UK economy, driving innovation, growth and jobs.”

A spokeswoman for HP told The Independent: “HP is a proud and long-standing supplier of IT products and services to Her Majesty’s Government and provides vital public services to UK citizens. We maintain an ongoing dialogue with government about our programme of work.”

In 2013, 86% (£1.49bn) of HP’s revenue from central government came from a DWP contract to supply infrastructure and systems for DWP and its job centres. “This contract is likely to be the largest single non-defence contract in central government,” says the Institute.

Capgemini, BT and Capita were the next largest suppliers to central government. Capgemini’s work is mainly from HMRC through the “Aspire” contract which is worth about £850m a year.

Departments are more open than they used to be but the Institute found big gaps in the information provided.

These gaps include:

– Contractual transparency – contracts and contractual terms, including who will bear financial liabilities in the event of failures

– Information about how well contractors perform, allowing a vital assessment of value for money

– Supply chain transparency – information including the proportion of work subcontracted to others, terms of subcontracting (particularly levels of risk transfer), and details on the types of organisation (for example, voluntary and community sector organisations) in the supply chain.

Comment

What concerns Maude and his team is not the existence of major suppliers in central government contracts but the reliance by central departments on long-term contracts that lock-in ministers and lead to costly minor changes.

Nobody wants the major suppliers to stop bidding for contracts. What’s needed is for departments to have the in-house expertise to manage suppliers adroitly, and not to be adroitly managed by their suppliers which seems to be the position at present.

Thank you to openness campaigner Dave Orr for the information he sent me which helped with this article.

Shortly after IDS was in the House of Commons yesterday defending his handling of the Universal Credit project – taking an all is well approach – the National Audit Office issued a report that drew attention to the scheme’s uncertainties, write-offs on IT so far of £41.3m, and the five-year depreciation of a further £91m spend on IT that may not be used after the migration from legacy, or transitional, UC systems to a new “digital” solution.

The legacy Universal Credit IT infrastructure is a blend of existing DWP IT and technology adapted to UC.

The DWP had originally expected to depreciate the £91m over 15 years but, suggests the NAO, the legacy Universal Credit IT infrastructure may be of little use after 2017/2018.

Says the NAO:

“… the underlying issue [is] that the Department has spent £91.0 million on assets that will only support a limited service for 5 years, with clear consequences for public value.”

On what the NAO report calls the “longer-term programme uncertainties” it says that the “overall cost of developing assets to support Universal Credit is subject to considerable uncertainty”.

It adds:

“The Department acknowledges … that there is uncertainty over the useful economic life of the existing Universal Credit software pending the development of the alternative digital solution and uncertainty over whether Universal Credit claimants will be able to migrate from the current IT infrastructure to the new digital solution by December 2017.”

The NAO’s report on the DWP’s 2012/2013 accounts also notes the uncertainties with the new digital solution. Says the NAO:

“At this early stage in its development, there are uncertainties over the exact nature of the digital solution, and in particular:

– How it will work;

– When it will be ready;

– How much it will cost; and

– Who will do the work to develop and build it.

A Ministerial Oversight Group has approved a spend of between £25m and £32m on the new digital UC solution up to November 2014. DWP officials and suppliers plan to build a core digital service that will deliver to 100 people by then, after which it will assess the results of that work and consider whether to extend the service to increasing numbers.

The NAO suggests that some of the money spent on the new digital solution may also end up being written off. Says its report:

“As the Department develops the digital solution, so it will start to recognise some of the costs incurred as assets. Without clear and effective management, in the future the Department may also find it needs to impair some of these new digital assets.”

At a hearing of the Work and Pensions Committee on Monday Iain Duncan Smith depicted the write-off of £40m on UC software code so far as normal for any large organisation in the private or public sector that embarks on a major software-based programme. IDS said that private sector organisations typically write off a third of the money spent on software on a large project. About £120m has been spent on writing UC software code so far.

Amyas Morse, head of the NAO, refers in his report to the “considerable sums that the Department is proposing to invest in a programme where there are significant levels of technical, cost and timetable uncertainty”.

He adds:

“I reiterate both the conclusion and recommendations from my report in September. The Department has to date not achieved value for the money it has incurred in the development of Universal Credit, and to do so in future it will need to learn the lessons of past failures …”

In a short debate on UC in the House of Commons yesterday Rachel Reeves, Shadow Work and Pensions secretary, suggested Iain Duncan Smith was in denial about being in denial. She put points to him he did not answer directly.

She said that IDS had told the House of Commons on 5 September 2013 that UC will be delivered in time and on budget. On 14 October IDS made the same claim. Reeves said:

“How on earth can this be on time when in November 2011 he [IDS] said: ‘All new applications for existing benefits and credits will be entirely phased out by April 2014.’

“We have now learned that this milestone will only be reached in 2016. Will the secretary of state confirm that this is a delay of 2 years? … How can the secretary of state say that Universal Credit will be on budget when even by his own admission £40.1m is being written off on IT [software code]? What budget heading was that under?”

Reeves said IDS also revealed on Monday that another £90m will be written off by 2018. She added:

“…The underlying problem is surely that the secretary of state has not resolved key policy decisions before spending hundreds of millions of pounds on an IT system… the secretary of state is in denial. Doubtless he’ll deny he is in denial….”

IDS replied:

“I said all along and I repeat: this programme essentially [jeers] is going to be on time. By 2017 some 6.5m people will be on the programme receiving benefits.”

He added that UC will roll out without damaging a single person. “The waste we inherited was the waste of people who didn’t listen, rushed programmes and implementing them badly.”

Dame Anne Begg, chair of the Work and Pensions Committee, said that IDS promised UC would be digital by default. “It isn’t,” she said.

“He promised that all new claims would be on UC by May 2014. They won’t… So why should anyone believe him when he says that delivery of UC is now on track?”

IDS replied: “The proof of this will be as we roll it out…”

Comment

IDS is doing what he has to do: defend the UC project at all costs; and the NAO is doing what it needs to do: highlight the uncertainties and wasted spending. If IDS admits to his doubts and concerns the opposition will jump on him. At least he is not being kept in the dark any longer by his senior civil servants. He has his own reliable information – via Howard Shiplee – and from the NAO. In 2011 he commissioned his own independent “red team” review which led to the pilot Pathfinder projects.

But the uncertainties highlighted by the NAO’s report today could be said to tacitly confirm that the transfer of all relevant claimants to the UC project is unlikely to be complete before 2019/2020 at the earliest. That’s probably not something anyone in government could own up to before the 2015 general election.

And even his advisers may not tell IDS that big government IT projects can be defined by the exceptions. IDS told MPs yesterday that Pathfinder projects indicated that 90% of people are claiming universal credit online and 78% are confident about their ability to budget with monthly payments. That’s 10% who don’t claim online and 22% who may not be able to manage with monthly payments. Will the high number of exceptions prove a show-stopper?

There’s a long way to go before officials and ministers can have confidence in UC IT. But, unlike the NPfIT which had little support in the NHS, most of those involved in the UC project want it to work. That could make all the difference.

Much of what Iain Duncan Smith said at the Work and Pensions Committee yesterday made sense. In essence the DWP’s plan is to delay putting most of the claimants onto the Universal Credit system until the technology is proven to work.

But there is little evidence it will work at scale, handling reliably and accurately millions of claimants and complex cases. It emerged yesterday that the DWP has still not yet agreed with suppliers a specification for the UC systems, and the latest business case has yet to be approved. How can anyone say on the basis of the limited work so far that the technology will work?

And Howard Shiplee, Director General of Universal Credit, made the point yesterday that the technology is only part of the story. For UC to work there have to be changes in culture, operational procedures within the DWP and the retraining of tens of thousands of staff.

IDS is doing what various sets of ministers and officials did during the distended failure of the NHS’s £11bn computer programme, the National Programme for IT [NPfIT]: in assuring Parliament all was well they always used the future tense. The programme “will” give everyone in England an electronic patient record. But nothing was delivered that provided evidence the promises would be fulfilled. It took a new government to admit the NPfIT was a failure.

UC differs from the NPfIT in a crucial way. The NPfIT did not need to work. It was conceived at the top without support from the NHS. Many hospitals didn’t want centrally-bought IT foisted on them. The NPfIT was wanted, in the main, by a small number of politicians, officials and big suppliers. UC is needed and wanted. Simplifying the horrifyingly complex benefit systems has all-party support. Shiplee is right when he says UC has to work. But he didn’t yesterday commit himself to a timeframe.

The last major benefits computerisation project – called “Operational Strategy” – took about 10 years to finish. It did not achieve the promised financial benefits and benefit systems were not combined as originally intended but, in the end, the technology worked well for its time.

If UC does work there’s every reason to believe it will be in a similar timeframe to Operational Strategy: about 10 years. But could IDS keep his job while saying UC will be fully delivered in 2020 or beyond? I doubt it.

Francis Maude laments civil service inaction over a cabinet committee mandate for centralising procurement. It “corrodes trust in the system”.

Gus O’Donnell, the former head of the civil service, confronted Francis Maude, the Cabinet Office minister in charge of civil service reform, on BBC R4’s In Defence of Bureaucracy last week.

The irreconcilable differences between O’Donnell and Maude were obvious and may be a sign of how difficult it will be for the minister to make lasting and deep cuts in IT-based spending, simplify overly complex processes, and reduce duplication.

O’Donnell spoke of the virtues of the civil service that have served the country for more than a century, particularly its impartiality. But Maude said the “value of impartiality can sometimes turn into indifference”.

O’Donnell said: “We need to be proud and passionate about the public sector ethos…” and confronted Maude for saying things about the civil service “that are not always totally positive”.

Indeed Maude said,

“Most of the civil servants I deal with are terrific, work hard and do really good work. It is not universal.”

O’Donnell then confronted Maude for saying that ministers in this and previous government have too often found that decisions they have made don’t get implemented. Is that the fault of ministers or civil servants, asked O’Donnell.

“I’d be astonished if it’s ministers,” said Maude who added,

“I had a meeting the other day around this table … where a decision was made by a cabinet committee, more than a year ago, on the centralising of procurement. It had happened to a very minimal extent.

“If there is a problem with it, that can be flagged up and tell us. Just to go away and not do it is unacceptable … it is protection of the system. This is the speaking truth unto power thing. What is unacceptable is not to challenge a ministerial position but then not to implement it. That is what corrodes trust in the system.”

About £230bn a year – nearly a third of everything government spends – is on public sector procurement. In 2010, Nigel Smith, then CEO of the Office of Government Commerce, spoke to the “Smartgov” conference about the need for major reform in the way government buys things.

He spoke of the need for re-useable software, open source if possible, and said that suppliers regularly use fragmentation within government to maximise profits. “This has got to change,” said Smith.

He said there were 44,000 buying organisations in the public sector which buy “roughly the same things, or similar things, in basic commodity categories” such as IT and office supplies.

Massive duplication

He spoke of “massive duplication”, high tendering costs on suppliers, and a loss of value due to a lack of true aggregation. He said suppliers had little forward look of opportunities to tender and offer innovative solutions for required outcomes.

“The opportunity to improve outcomes and efficiency gains should not be constrained by contract terms and innovations should not stop at the point of contract signature.

“If we miss this opportunity [to reform] we need shooting.”

So it is clear procurement [and much else] needs reforming. But in the R4 broadcast last week (which unfortunately is no longer available) O’Donnell portrays a civil service that is almost as good as it gets.

He speaks of its permanence in contrast to transient ministers. His broadcast attacks the US system of government in which public service leaders change every time there is a new government. The suggestion is that the US system is like a ship that veers crazily from side to side, as one set of ideologues takes the captain’s wheel from another. O’Donnell implies that in the UK civil service stability lasts for decades, even centuries.

The virtues he most admires in the UK civil service are what he calls the 4 “Ps” – Pace, Passion, Professionalism and Pride. His broadcast speaks of the UK civil service as a responsible, effective, continual and reliable form of administration.

Comment

O’Donnell’s most striking criticism of Maude’s intended reforms of central government goes to the heart of what Maude is trying to do: change what is happening in departments.

When, in the broadcast, Maude suggested that civil servants were not challenging ministerial decisions and were not implementing them either, O’Donnell replied that Maude was “overstating the issue”. But O’Donnell went much further and added a comment that implied Maude should leave departments alone.

O’Donnell said,

“These sorts of problems mainly arise when ministers at the centre of government want to impose their will on secretaries of state who want to be left alone to run their departments as they see fit.”

Is O’Donnell giving permanent secretaries and departmental ministers his support if they continue to snub Cabinet Office reforms?

It is hardly surprising Maude is a bundle of frustrations. Central government administration cannot be reformed if departments have the autonomy to refuse to implement decisions of a cabinet committee.

It is ironic that cabinet committee decisions are binding on the entire Cabinet – but not, it seems, on departments.

Perhaps the gap between political and civil service leaders at the centre, and senior civil servants in departments, is as irreconcilable as ever. Today’s UK civil service is more than ever “Yes Minister” without the jokes. Should this be the dysfunctional basis for coalition reforms of central government?

Sir Jeremy Heywood, the current Cabinet Secretary, is perhaps a little more Maude-friendly than O’Donnell when he says in the R4 broadcast,

“There are lots of things we need to do better. Too many projects that we undertake are delayed, are over budget and don’t deliver on all the benefits that were promised. We are not as digital as the most effective private sector organisations are. We have been slow to embrace the digital revolution.”

Fine words. But if a cabinet committee’s decision on centralising procurement has little effect, how is Sir Jeremy going to convert his words into action? Or Francis Maude’s?

Last month he said in a Guardian comment that central government departments are “increasingly being held hostage by a handful of huge, often overseas, suppliers of customised all-or-nothing IT systems”.

Some senior officials are happy to be held captive.

“Unfortunately, hostage and hostage taker have become closely aligned in Stockholm-syndrome fashion.

“Many people in the public sector now design, procure, manage and evaluate these IT systems and ignore the exploitative nature of the relationship,” said Thompson.

The Stockholm syndrome is a psychological phenomenon in which hostages bond with their captors, sometimes to the point of defending them.

This month the Foreign and Commonwealth Office issued a pre-tender notice for Oracle ERP systems. Worth between £250m and £750m, the framework will be open to all central government departments, arm’s-length bodies and agencies and will replace the current “Prism” contract with Capgemini.

It’s an old-style centralised framework that, says Chris Chant, former Executive Director at the Cabinet Office who was its head of G-Cloud, will have Oracle popping champagne corks.

In the same vein, Georgina O’Toole at Techmarketview says that central departments are staying with big Oracle ERP systems.

She said the framework “appears to support departments continuing to run Oracle or, indeed, choosing to move to Oracle”. This is “surprising as when the Shared Services strategy was published in December, the Cabinet Office continued to highlight the cost of running Oracle ERP…”

She said the framework sends a message that the Cabinet Office has had to accept that some departments and agencies are not going to move away from Oracle or SAP.

“The best the Cabinet Office can do is ensure they are getting the best deal. There’s no doubt there will be plenty of SIs looking to protect their existing relationships by getting a place on the FCO framework.”

G-Cloud and open standards?

Is the FCO framework another sign that the Cabinet Office, in trying to cut the high costs of central government IT, cannot break the bond – the willing hostage-captive relationship – between big suppliers and central departments?

The framework appears to bypass G-Cloud in which departments are not tied to a particular company. It also appears to cock a snook at the idea of replacing proprietary with open systems.

– Administrative IT systems, which cost 1% of GDP, have become a byword for complexity, opacity, expense and poor delivery.

– Departments can break free from the straitjackets of their existing systems and begin to procure technology in smaller, standardised building blocks, creating demand for standard components across government. This will provide opportunities for less expensive SMEs and stimulate the local economy.

– Open, interoperable platforms for government IT will help avoid the mass duplication of proprietary processes and systems across departments that currently waste billions.

– A negative reaction to the government’s open standards policy from some monopolistic suppliers is not surprising.

Comment

It seems that Oracle and the FCO have convinced each other that the new framework represents change. But, as Chris Chant says, it is more of the same.

If there is an exit door from captivity the big suppliers are ushering senior officials in departments towards it saying politely “you first” and the officials are equally deferential saying “no – you first”. In the end they agree to stay where they are.

Will Thompson’s comments make any difference?

Some top officials in central departments – highly respected individuals – will dismiss Thompson’s criticisms of government IT because they believe the civil service and its experienced suppliers are doing a good job: they are keeping systems of labyrinthine complexity running unnoticeably smoothly for the millions of people who rely on government IT.

Those officials don’t want to mess too much with existing systems and big IT contracts in case government systems start to become unreliable which, they argue, could badly affect millions of people.

These same officials will advocate reform of systems of lesser importance such as those involving government websites; and they will champion agile and IT-related reforms that don’t affect them or their big IT contracts.

In a sense they are right. But they ignore the fact that government IT costs much too much. They may also exaggerate the extent to which government IT works well. Indeed they are too quick to dismiss criticisms of government IT including those made by the National Audit Office.

In numerous reports the NAO has drawn attention to weaknesses such as the lack of reliable management information and unacceptable levels of fraud and internal error in the big departments. The NAO has qualified the accounts of the two biggest non-military IT spending departments, the DWP and HMRC.

Ostensible reformers are barriers to genuine change. They need to be replaced with fresh-thinking civil servants who recognise the impossibility of living with mega IT contracts.

Some central government departments spend a great deal with large suppliers on the development and maintenance of their websites (more on this in a separate post). They could save millions of pounds if they followed the example of the Government Digital Service (and were not locked into mega-outsourcing contracts that include website development).

Agile teams within the GDS are responsible for GOV.UK, which largely replaces Directgov and offers a one-stop site for government services and information.

Simple, clear, fast

The guiding principles for GDS’s agile teams were “simple, clear, fast”. Lessons from the open-source project are on the GDS website. These are some of them:

“When things get tough and you want to go back to old ways, go more agile, not less”.

Less is more (a rare attribute for a government IT project).

Use independently-verifiable data to track your programme

Agile can work at scale. “We’ve embraced it culturally and organisationally…”

The Cabinet Office minister Francis Maude said:

“In stark contrast to the way IT has been delivered in government in the past, GOV.UK can rapidly accommodate new standards for development and security, catering to emerging technologies and user requirements quickly and effectively. It has been built the way Amazon built Amazon, and in the way that BA transformed their online business, by being agile, iterative and focused on users.

“GOV.UK has also been built using open source technology, which means we don’t have to pay expensive software licensing costs.”

Comment:

A good result for the Government Digital Service. Will others in central government follow?

The Government has issued a Procurement Policy Note that sets out its thinking behind the policy that individual ICT contracts or projects should have a lifetime cost of less than £100m.

It says the £100m limit will apply to all future ICT projects, “unless a strong case can be made that doing so increases the overall cost to the taxpayer, notably increases the risk of failure or increases the security threat to the public body or Government as a whole.”

It adds that in future, “government IT contracts will be more flexible, starting with two areas (application software and infrastructure IT). The Government is introducing set breakpoints in IT contracts so there is less money locked into large lengthy contracts. The Government will look to disaggregate future contracts and deliver more flexible, cheaper solutions. This opens up opportunities for SMEs and reduces the cost to taxpayers.”

Its guidance, which takes effect from 1st April, applies to all central government departments, their agencies and non-departmental public bodies and is particularly intended for those with a purchasing role.

In background notes, the briefing says:

The £100m threshold relates to all ICT contracts or projects where the total value over the life of the contract exceeds £100m regardless of how the contract is funded. It includes frameworks as well as individual call offs from frameworks. A case may be made for exemption from this policy on the grounds of national security or continuity of a critical Government service.

Based on this, the policy aims are as follows:

To reduce the risk of single supplier failure within a large project;

To increase competition and innovation by enabling more suppliers to bid and take part in projects, thereby increasing value to the taxpayer;

To procure contracts in a way which ensures maximum possible benefit to the maximum number of parties – for example, ensuring that infrastructure/services which are procured can be used by more than one department.

In a foreword, Cabinet Office minister Francis Maude says:

“The Government believes that business is the driver of economic growth and innovation, and that we need to take urgent action to boost enterprise and build a new and more responsible economic model. We want to create a fairer and more balanced economy, where we are not so dependent on a narrow range of economic sectors, and where new businesses and economic opportunities are more evenly shared between regions and industries. This guidance is founded on a desire to minimise the risk around high value contracts and ensure that Government always seeks the best possible value for money when procuring large ICT contracts.

“In the Coalition Programme the Government made a commitment to promote small business procurement in particular by introducing an aspiration that 25% of government contracts should be awarded to small and medium sized businesses. To deliver this aspiration the Prime Minister and The Minister for the Cabinet Office announced, on the 11th February 2011, a far reaching package of measures to open up public procurement to small and medium sized enterprises. The Government ICT Strategy, published at the end of March 2011 outlined a new approach to ICT procurement that improves contract delivery timelines and reduces the risk of project failure, enables greater use of SMEs, a much shorter timescale and lower costs to all parties.

“We will end the practice of attempting to cover every requirement in great detail and cover every legal eventuality in every project and contract, thereby increasing the procurement cost and timescales to all parties to unacceptable levels. We will do this by focusing on the 80/20 rule, simplifying to the core components of the requirements at every level and at every stage of a project.”

On SMEs, G-Cloud and Open Systems, the policy note says procurement will:

Ensure value for money, competition and innovation by ensuring that small and medium sized enterprises (SMEs) are freely able to bid. Ensuring that any procurement process we use does not unnecessarily exclude them due to price, risk or resource associated with bidding activity. This includes reviewing our criteria and evidence required as part of the contract award process for items that might be relevant to a large company only. However, SMEs will be treated no differently in evaluation of capability, financial stability, or their ability to provide ongoing support, etc.

Ensure visibility of innovation and encourage mass purchasing of solutions available from both within the public sector and the private sector by creating a quality assured Government Cloud based procurement vehicle for Government, which enables all sizes of organisations to showcase their products, services, solutions etc. This service would also enable government to market and sell any unwanted assets it might own.

Encourage and maximise the use of Open Source/Open Standards whenever possible and where it represents a value for money solution, allowing departments to re-use code, designs, templates etc. ensuring that work is not duplicated.

Comment

The Government’s aspiration to have individual ICT contracts or projects with a lifetime cost of less than £100m is a worthy one. But the proof of the pudding, as always, is in the eating. And we haven’t seen the pudding yet.